Ubuntu 18.04加入Windows域

1、安装软件包

tt@demopc:~$ sudo apt install realmd sssd sssd-tools libnss-sss libpam-sss adcli samba-common-bin oddjob oddjob-mkhomedir packagekit -y

2、确保DNS能够正确解析域名

tt@demopc:~$ ping alphabook.cn

 

PING alphabook.cn (192.168.11.10) 56(84) bytes of data.

 

64 bytes from 192.168.11.10 (192.168.11.10): icmp_seq=1 ttl=128 time=0.146 ms

 

64 bytes from 192.168.11.10 (192.168.11.10): icmp_seq=2 ttl=128 time=1.01 ms

 

64 bytes from 192.168.11.10 (192.168.11.10): icmp_seq=3 ttl=128 time=1.09 ms

 

64 bytes from 192.168.11.10 (192.168.11.10): icmp_seq=4 ttl=128 time=1.54 ms

3、运行realm discover

tt@demopc:~$ realm discover alphabook.cn

 

alphabook.cn

 

  type: kerberos

 

  realm-name: ALPHABOOK.CN

 

  domain-name: alphabook.cn

 

  configured: no

 

  server-software: active-directory

 

  client-software: sssd

 

  required-package: sssd-tools

 

  required-package: sssd

 

  required-package: libnss-sss

 

  required-package: libpam-sss

 

  required-package: adcli

 

  required-package: samba-common-bin

4、加域，输入域管理员administrator的密码

tt@demopc:~$ sudo realm join alphabook.cn

 

Password for Administrator

5、可能遇到加域失败，报错信息：Insufficient permissions to join the domain，虽然使用的是域管理员账户administrator

根据提示，可查看更多报错信息如下：

Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Configuration file does not specify default realm)

adcli: couldn't connect to streamcomputing.com domain: Couldn't authenticate to active directory: SASL(-1): generic failure: GSSAPI Error: Unspecified GSS failure.  Minor code may provide more information (Configurationfile does not specify default realm)

Insufficient permissions to join the domain

该问题与DNS（反向DNS解析）有关，临时解决方法：创建/etc/krb5.conf（如果没有），并确保如下配置：

[libdefaults]

default_realm = alphabook.cn

rdns = false

6、加域成功后，可以查询Windows域账户信息

tt@demopc:~$ id administrator@alphabook.cn

 

uid=76800500(administrator@alphabook.cn) gid=76800513(domain users@alphabook.cn) groups=76800513(domain users@alphabook.cn),76801104(organization management@alphabook.cn),76800572(denied rodc password replication group@alphabook.cn),76800512(domain admins@alphabook.cn),76800519(enterprise admins@alphabook.cn),76800520(group policy creator owners@alphabook.cn),76800518(schema admins@alphabook.cn

7、修改sssd.conf配置（可选）

tt@demopc:~$ sudo vi /etc/sssd/sssd.conf

下面设置默认为True，可以修改为False，这样登陆系统时可以使用SamAccountName形式登录，例如administrator

use_fully_qualified_names = False

下面设置默认为/home/%u@%d，可以修改为/home/%u

fallback_homedir = /home/%u

8、解决Home目录创建问题（或者登录时闪退，根本问题是Home目录创建）

tt@demopc:~$ sudo vi /etc/pam.d/common-sessio

在这一行（session required pam_unix.so）下一行添加下面内容

session    required    pam_mkhomedir.so skel=/etc/skel/ umask=0022

9、重启系统，使用域用户登录

login as: administrator

 

administrator@192.168.11.207's password:

 

administrator@demopc:~$ id

 

uid=76800500(administrator) gid=76800513(domain users) groups=76800513(domain users),76800512(domain admins),76800518(schema admins),76800519(enterprise admins),76800520(group policy creator owners),76800572(denied rodc password replication group),76801104(organization management)

 

administrator@demopc:~$ whoami

 

administrator

 

administrator@demopc:~$ pwd

 

/home/administrator